
CVE-2025-53908

Good to know:

Date: July 16, 2025

RomM is a self-hosted ROM manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the "/api/raw" endpoint: the file path supplied by the client is not confined to the library directory, so an authenticated user, including an unprivileged account such as the kiosk user in the official implementation, can read files elsewhere on the host. Any multi-user deployment of an affected version is therefore exposed, and the files reachable this way may include stored passwords and user data. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.
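The traversal class the advisory describes, as an added example that is not RomM's code: a naive resolver that joins the client-supplied path onto the library root, beside a hardened one that canonicalises the result and refuses anything that lands outside the root. The endpoint name `/api/raw` comes from the advisory; the function names, the library layout and the sample files are assumptions constructed for the demo.

```python
"""Path traversal (CWE-26) in a raw-file endpoint: vulnerable vs hardened resolver.

Added example, not RomM code. Function names, directory layout and sample
files are assumptions; only the '/api/raw' endpoint name comes from the advisory.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple


def naive_resolve(library_root: str, requested: str) -> str:
    """Vulnerable pattern: join the client-supplied path onto the root.

    os.path.join walks straight through '..' components, and an absolute
    `requested` replaces the root entirely, so the result can point anywhere.
    """
    return os.path.normpath(os.path.join(library_root, requested))


def safe_resolve(library_root: str, requested: str) -> Optional[str]:
    """Hardened resolver: canonicalise, then require the result to stay under
    the canonical root. Returns None for anything that escapes.
    """
    root = os.path.realpath(library_root)
    # Drop leading separators so an absolute path cannot replace the root,
    # then canonicalise (collapses '..' and follows symlinks).
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        # Paths on different drives (Windows) share no common root.
        return None
    return candidate


def serve_raw(library_root: str, requested: str) -> Optional[bytes]:
    """Stand-in for a '/api/raw' style handler built on the hardened resolver."""
    path = safe_resolve(library_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample layout (not real data): a library directory and,
    one level above it, a secrets file that must never be reachable via the API.
    """
    base = tempfile.mkdtemp(prefix="romm-demo-")
    library = os.path.join(base, "library")
    os.makedirs(os.path.join(library, "roms", "snes"))
    with open(os.path.join(library, "roms", "snes", "game.sfc"), "wb") as fh:
        fh.write(b"ROMDATA")
    secret = os.path.join(base, "secrets.txt")
    with open(secret, "w") as fh:
        fh.write("password=hunter2\n")  # constructed, illustrative only
    return library, secret


def demo() -> Dict[str, bool]:
    """Run both resolvers against a relative traversal and an absolute path."""
    library, secret = build_demo_tree()
    traversal = "roms/../../secrets.txt"  # climbs one level above the root
    return {
        "naive_escapes": naive_resolve(library, traversal) == secret,
        "naive_absolute_escapes": naive_resolve(library, secret) == secret,
        "safe_blocks_traversal": safe_resolve(library, traversal) is None,
        "safe_blocks_absolute": serve_raw(library, secret) is None,
        "safe_serves_legit": serve_raw(library, "roms/snes/game.sfc") == b"ROMDATA",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters is the `commonpath` comparison against the canonical root after `realpath`; a plain substring or `startswith` test on the un-canonicalised string is defeated by `..` segments and by symlinks inside the library. A framework that URL-decodes the path before handing it to the handler still needs this check, since `%2e%2e%2f` arrives as `../`.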

Severity Score

Weakness Type (CWE)

CWE-26: Path Traversal: '/dir/../filename'

Top Fix

Upgrade Version

Upgrade RomM (https://github.com/rommapp/romm.git) to 3.10.3, or to 4.0.0-beta.3 on the 4.0.0 beta line.

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score: 7.7 (High), computed from the vector above
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
